Data Access Advisory Group (DAAG)

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Data Access Advisory Group (DAAG)"

Transcription

1 Data Access Advisory Group (DAAG) Minutes of meeting held 14 October 2016 Members: John Craven, Dawn Foster, James Wilson In attendance: Garry Coleman, Frances Hancox, James Humphries-Hart, Julia King, Stuart Richardson, Danny Solomon, Vicki Williams Apologies: Joanne Bailey, Eve Sariyiannidou, Peter Short 1 Welcome and introductions It was confirmed that James Wilson would act as chair for the purpose of this meeting. Declaration of interests No relevant interests were declared Data applications Chiltern CCG (Presenter: Stuart Richardson) NIC W5L3J Application: This application requested Secondary Uses Service (SUS) data identifiable at the level of NHS number for risk stratification, invoice validation and commissioning purposes, in addition to pseudonymised SUS data, local provider flows, mental health data (MHMDS, MHSDS, MHLDDS), maternity data (MSDS), Improving Access to Psychological Therapies (IAPT), Children and Young People s Health (CYPHs), and Diagnostic Imaging Dataset (DIDs) data for commissioning purposes. DAAG had previously considered an application for a larger amount of identifiable data at the 4 October 2016 meeting but had deferred making a recommendation as a clearer justification was needed for the use of identifiable rather than pseudonymised data. NHS Digital had reviewed the CCG privacy notice and provided feedback on points that needed to be addressed to reach the appropriate standard. DAAG were informed that South, Central and West CSU would act as a data processor and that both organisations held appropriate DPA registrations and satisfactory reviewed IG Toolkit scores. Discussion: DAAG noted that the applicant was now requesting pseudonymised data for everything but the specific purposes of risk stratification and invoice validation, which would still require identifiable data. Data destruction was discussed and it was confirmed that CCGs would be required to securely destroy any previously held data that was not covered by a current data sharing agreement (DSA). DAAG noted that the application did not list the dataset periods for data already held, and it would be important to ensure that all the relevant data was destroyed. It was suggested that the following wording should be included as a special condition in all similar DSAs: The CCG, through working with its data processors, will confirm the dataset periods of the datasets listed as already held (section 3). This will be notified to NHS Digital via the Data Services for Commissioners team within 1 month of the signing of this agreement, together with a certificate of destruction (as applicable) from the CCG (where they are controller for that data) and the data processors listed (where they are holding data as data controller) for all datasets and dataset periods other than those that will be listed within section 3 of the amended agreement, else the current agreement will cease at the end of the one month Page 1 of 13

2 period. Once confirmed, an amended agreement detailing those years will be provided by NHS Digital to replace this agreement. It was noted that the privacy notice link included within this application contained an error and DAAG asked for the application to be updated to include the correct link. There was a discussion of the NHS Digital audit process and it was confirmed that audits of a selection of CCGs would be undertaken in future to consider how the requirements of the DSA were being met. It was confirmed that applicants were made aware of the possibility of future audit. Outcome: Recommendation to approve, subject to caveats: Updating the privacy notice link within the application. Confirmation that the CCG have amended their privacy notice so that it accurately 2.2 Group application for 3 CCGs 1 (Presenter: Stuart Richardson) GA02-CON-CS Application: This application requested SUS data identifiable at the level of NHS number for risk stratification and invoice validation, in addition to pseudonymised SUS, local flows, mental health data (MHMDS, MHSDS, MHLDDS), MSDS, IAPT, CYPHs, and DIDs data for commissioning purposes. DAAG had previously considered an application for a larger amount of identifiable data at the 4 October 2016 meeting but had deferred making a recommendation as a clearer justification was needed for the use of identifiable rather than pseudonymised data. DAAG were informed that data would flow from the DSCRO to each CCG directly, with no other organisations acting as data processors. Each CCG had achieved a satisfactory IG Toolkit score, although it was acknowledged that an improvement plan was in place for Gloucestershire CCG, and each CCG held an appropriate DPA registration. NHS Digital had reviewed the CCG privacy notice and provided feedback on points that needed to be addressed to reach the appropriate standard. Discussion: DAAG requested further assurances regarding the IG Toolkit improvement plan for Gloucestershire CCG, to ensure that this did not include any areas of concern that would affect the dissemination of data. A query was raised about the involvement of Royal Cornwall Hospitals NHS Trust. It was 1 NHS Gloucestershire CCG NIC S2P1V, NHS Swindon CCG NIC M7Y0M, NHS Kernow CCG NIC Q6G7J Page 2 of 13

3 clarified that some Kernow CCG staff worked within the hospital building referred to and would process data at this location, but that only Kernow CCG employees would have access to the data and the CCG would remain responsible for all processing. Outcome: Recommendation to approve, subject to caveats: Providing satisfactory assurance that the IG Toolkit improvement plan for Gloucestershire CCG does not raise any concerns relevant to this dissemination of data. Confirmation that the CCG have amended their privacy notice so that it accurately 2.3 Herts Valley CCG (Presenter: Stuart Richardson) NIC D6X5Y Application: This application requested SUS data identifiable at the level of NHS number for risk stratification and invoice validation, in addition to pseudonymised SUS, local flows, MSDS and DIDs data for commissioning purposes. Optum Health Solutions Limited and MedeAnalytics International Ltd would act as data processors and it was confirmed all three organisations had achieved satisfactory IG Toolkit scores and held current DPA registrations. NHS Digital had reviewed the CCG privacy notice and provided feedback on points that needed to be addressed to reach the appropriate standard. DAAG were informed that the CCG had now indicated that they would not make use of primary care data for risk stratification, and that the application and data flow diagram would need to be updated to reflect this. Discussion: DAAG noted that the DPA registrations for MedeAnalytics and Optum did not refer to processing health data about patients or health service users, and DAAG therefore repeated their previous advice that the organisations should amend their registrations to include this. DAAG queried the role of Optum in invoice validation as it was unclear whether they carried out any data processing or simply acted as a landing stage before passing the data on. In addition DAAG queried whether a CSU was included in this data flow as it was thought that this had previously been a technical requirement for DSCROs to release data for invoice validation. Outcome: Recommendation to approve, subject to caveats: Updating the application and data flow diagram to show that primary care data from general practices will not be used in relation to risk stratification. Clarification of the role of Optum in relation to invoice validation, and whether the CSU is involved in this data flow. Page 3 of 13

4 Confirmation that the data destruction notice will include appropriate wording to be Confirmation that the CCG have amended their privacy notice so that it accurately Confirmation that a special condition will be included within the DSA to state that: As a DAAG advised that MedeAnalytics and Optum should update their DPA registrations to be clear that they process data about patients or health service users. 2.4 East and North Hertfordshire CCG (Presenter: Stuart Richardson) NIC K9X4J Application: This application requested SUS data identifiable at the level of NHS number for risk stratification, invoice validation and commissioning purposes, in addition to pseudonymised local flows and MSDS data also for commissioning purposes. DAAG were informed that the applicant had also requested to retain their status as a Stage One Accredited Safe Haven (ASH) in order for identifiable data to be processed by their data processor, MedeAnalytics. It was confirmed both organisations held current DPA registrations and had achieved satisfactory IG Toolkit scores. NHS Digital had reviewed the CCG privacy notice and provided feedback on points that should be addressed. Discussion: DAAG queried the need for identifiable SUS data for commissioning purposes. It was clarified that while identifiable data would flow to MedeAnalytics as data processor, as part of the same flow of identifiable SUS data that would be used for risk stratification and invoice validation, only pseudonymised SUS data would be provided on to the CCG. In addition it was confirmed that the CCG already had a previous agreement in place to process identifiable SUS data as a Stage One ASH. Confirmation was requested of whether a CSU was involved in the flow of data for invoice validation. In addition DAAG asked for the application to be updated to specify the applicable section of the Health and Social Care Act DAAG queried the process by which MedeAnalytics would pseudonymise the SUS data before providing this on to the CCG, as it was unclear from the application how this would be carried out. In addition confirmation was requested of whether this would be linked to any other data, and if so how the linkage would be carried out. Outcome: Recommendation deferred, pending: Clarification of whether the CSU is involved in the data flow for invoice validation. Specifying which section of the Health and Social Care Act 2012 provides a legal basis for the release of data. Further clarification around the process used by MedeAnalytics to pseudonymise the SUS data that will be provided to the CCG, and whether this is linked to any other data. Confirmation that the CCG have amended their privacy notice so that it accurately Page 4 of 13

5 DAAG advised that MedeAnalytics should update their DPA registrations to be clear that they process data about patients or health service users. 2.5 Group application for 5 CCGs 2 (Presenter: Stuart Richardson) GA06-CON-NEL Application: This application requested SUS data identifiable at the level of NHS number for risk stratification and invoice validation, in addition to pseudonymised SUS, local flows, mental health data (MHMDS, MHSDS, MHLDDS), MSDS, IAPT, CYPHs, and DIDs data for commissioning purposes. Pseudonymised SUS data was also requested for risk stratification that would be carried out for three of the CCGs by North East London CSU, with PI Limited and Optum acting as data processors for the other CCGs. In addition, DAAG were informed that the Success Regime team hosted by Mid Essex CCG would act as a further data processor. The organisations all held current DPA registrations and had achieved satisfactory IG Toolkit scores. It was confirmed that the privacy notices for these CCGs had all been reviewed by NHS Digital and agreed to be appropriate. DAAG were informed that queries had previously been raised about the security assurance for Interxion UK, which was used as a data storage location by North East London CSU. Appropriate assurances had now been provided and wording would be included within the DSA to more clearly state that any access to the data by Interxion staff would be considered a breach of the agreement. Discussion: There was a discussion of the North East London CSU look-up table that would be used to reidentify patients for risk stratification. DAAG noted that the application referred to providing a letter or from the NHS Digital SIRO regarding this as a supporting document, but that the relevant document had not been included with the application. DAAG requested sight of this in order to consider the issue further. It was confirmed that work was underway to change arrangements within the CSU so that the look-up table would instead be hosted within the DSCRO, but that there were potential risks in making this change to the CSU and DSCRO infrastructure too quickly and the applicant had therefore requested to maintain current processes for up to six months while this work was undertaken. DAAG advised that they would hope to see the transition work completed as soon as reasonably possible. A query was raised about how the re-identification process would affect the application of patient objections. DAAG noted that the application summary appeared to be missing part of a sentence and it was agreed this wording would be corrected. In addition it was noted that the security section listed ISO details without specifying which organisation this applied to, and DAAG asked for the application to be updated to be clear this was for Interxion. DAAG noted the assurances provided regarding Interxion. An error in the proposed agreement end date was noted and it was agreed this would be corrected to state 31 March The role of the Success Regime hosted by Mid Essex CCG was discussed and DAAG were 2 NHS Basildon and Brentwood CCG NIC T2Y9M, NHS Castlepoint and Rochford CCG NIC G4G1R, NHS Mid Essex CCG NIC C6R2Z, NHS Southend CCG NIC J3L9V, NHS Thurrock CCG NIC W2B4Q Page 5 of 13

6 informed that this team would involve staff from each of the five CCGs. DAAG requested further information about the controls in place around what staff would have access to this data and for what purposes, as well as further information about the specific outputs and expected benefits of this use of data. In addition it was noted that the application stated that patient level data would not be shared outside of the CCG and DAAG suggested that this wording should be amended to allow for the use of data by the Success Regime. DAAG queried an inconsistency between the data flow diagram and the application and it was confirmed that pseudonymised data would be provided to the CSU for risk stratification, not identifiable data. It was agreed the application wording would be updated to reflect this. A further query was raised about whether the look-up table would be included in the destruction of identifiable data referred to in the application, or at what point in the future the look-up table would be destroyed. Outcome: Recommendation deferred, pending: Providing the letter referred to within the application from the NHS Digital SIRO regarding approach set out, for consideration by DAAG. Updating the application summary to correct an incomplete sentence. Amending the proposed agreement end date to 31 March Clarifying a statement that patient level data will not be shared outside each CCG. Updating the security assurance in section 7 to be clear that the ISO information provided relates to Interxion. Correcting a reference within the application to providing data identifiable at the level of NHS number to the CSU for risk stratification to instead state that this flow of data is pseudonymised. Clarification of the external controls in place around access to the look-up table hosted by North East London CSU. A reference to the destruction of previously held identifiable data should be amended to clarify whether this includes the look-up table, or at what point in the future the look-up table will be destroyed. Further information about the specific outputs and benefits relating to the use of data by the Success Regime. Further information regarding the staff accessing data as part of the Success Regime and what controls are in place around this. DAAG advised that Optum and PI Limited should update their DPA registrations to be clear that they process data about patients or health service users. DAAG noted the concerns that had been raised regarding the look-up table currently hosted by North East London CSU and advised that they would expect the work around this to be completed as soon as possible. 2.6 Haringey CCG (Presenter: Stuart Richardson) NIC S9N8M Page 6 of 13

7 Application: This application requested pseudonymised SUS, local flows, mental health data (MHMDS, MHSDS, MHLDDS), MSDS, IAPT, CYPHs, and DIDs data for the purposes of commissioning, with pseudonymised SUS data also being used for risk stratification and invoice validation. North East London CSU would act as data processor and it was confirmed both organisations held satisfactory IG Toolkit scores and appropriate DPA registrations. NHS Digital had reviewed the CCG privacy notice and provided feedback. Discussion: DAAG reiterated the points previously raised regarding the look-up table currently hosted by North East London CSU. Outcome: Recommendation deferred, pending: Providing the letter referred to within the application from the NHS Digital SIRO regarding approach set out, for consideration by DAAG. Updating the security assurance in section 7 to be clear that the ISO information provided relates to Interxion. Correcting a reference within the application to providing data identifiable at the level of NHS number to the CSU for risk stratification to instead state that this flow of data is pseudonymised. Clarification of the external controls in place around access to the look-up table hosted by North East London CSU. A reference to the destruction of previously held identifiable data should be amended to clarify whether this includes the look-up table, or at what point in the future the look-up table will be destroyed. Confirmation that the CCG have amended their privacy notice so that it accurately DAAG noted the concerns that had been raised regarding the look-up table currently hosted by North East London CSU and advised that they would expect the work around this to be completed as soon as possible. 2.7 Islington CCG (Presenter: Stuart Richardson) NIC T6C5M Application: This application requested pseudonymised SUS, local flows, mental health data (MHMDS, MHSDS, MHLDDS), MSDS, IAPT, CYPHs, and DIDs data for the purposes of commissioning, with pseudonymised SUS data also being used for risk stratification and invoice validation. North East London CSU would act as data processor and it was confirmed both organisations held satisfactory IG Toolkit scores and appropriate DPA registrations. NHS Digital had reviewed the CCG privacy notice and agreed that this appropriately reflected the use of data. Discussion: Given that only pseudonymised data was requested, DAAG queried a statement within the application that type 2 patient objections would be applied prior to identifiable data Page 7 of 13

8 being released from the DSCRO. It was confirmed that this was an error and the statement would be removed. Outcome: Recommendation deferred, pending: Removing a reference to applying type two objections before data leaves the DSCRO. Providing the letter referred to within the application from the NHS Digital SIRO regarding approach set out, for consideration by DAAG. Updating the security assurance in section 7 to be clear that the ISO information provided relates to Interxion. Correcting a reference within the application to providing data identifiable at the level of NHS number to the CSU for risk stratification to instead state that this flow of data is pseudonymised. Clarification of the external controls in place around access to the look-up table hosted by North East London CSU. A reference to the destruction of previously held identifiable data should be amended to clarify whether this includes the look-up table, or at what point in the future the look-up table will be destroyed. DAAG noted the concerns that had been raised regarding the look-up table currently hosted by North East London CSU and advised that they would expect the work around this to be completed as soon as possible. 2.8 Norwich CCG (Presenter: Stuart Richardson) NIC Z8D7Z Application: This application requested pseudonymised SUS, local flows, mental health data (MHMDS, MHSDS, MHLDDS), MSDS, IAPT, CYPHs, and DIDs data for the purposes of commissioning, with pseudonymised SUS data also being used for risk stratification and invoice validation. North of England CSU currently acted as data processor but in the following months this would change to North East London CSU, with data also flowing via a different DSCRO. It was confirmed the organisations held satisfactory IG Toolkit scores and appropriate DPA registrations. NHS Digital had reviewed the CCG privacy notice and provided feedback on points that needed to be addressed to reach the appropriate standard. Discussion: DAAG noted the transition between data processors, with a two month overlap period where data might be processed by both data processors. It was confirmed that at the end of the two month period the previous data processor would be required to destroy the data they held, and that this was reflected within the application. However DAAG noted that the application incorrectly stated that North of England CSU would pass identifiable data to North East London CSU, while in fact only pseudonymised data would be transferred. Clearer assurances were requested that appropriate processes would be in place for the safe transfer of data between the CSUs. In addition DAAG asked for a reference to data being processed for a period of time to be amended as this was considered overly vague, and it was noted that a reference to the CCGs should be amended to refer to a single CCG. Page 8 of 13

9 Outcome: Recommendation deferred, pending: Assurance that appropriate processes are in place for the safe transfer of data between North of England CSU and North East London CSU as part of the planned transition. Correcting a statement within the application processing activities section that North England CSU send the data identifiable at the level of NHS number is transferred securely to North East London CSU, and also correcting a reference to providing data to assist with the transition for a period of time. Providing the letter referred to within the application from the NHS Digital SIRO regarding approach set out, for consideration by DAAG. Updating the security assurance in section 7 to be clear that the ISO information provided relates to Interxion. Correcting a statement within the application to providing data identifiable at the level of NHS number to the CSU for risk stratification to instead state that this flow of data is pseudonymised. Clarification of the external controls in place around access to the look-up table hosted by North East London CSU. A reference to the destruction of previously held identifiable data should be amended to clarify whether this includes the look-up table, or at what point in the future the look-up table will be destroyed. DAAG noted the concerns that had been raised regarding the look-up table currently hosted by North East London CSU and advised that they would expect the work around this to be completed as soon as possible. 2.9 Group application for 3 CCGs 3 (Presenter: Stuart Richardson) GA02-CON-NEL Application: This application requested pseudonymised SUS, local flows, mental health data (MHMDS, MHSDS, MHLDDS), MSDS, IAPT, CYPHs, and DIDs data for the purposes of commissioning, with pseudonymised SUS data also being used for risk stratification and SUS data identifiable at the level of NHS number requested for invoice validation. North East London CSU and Queen Mary University of London would act as data processors on behalf of the CCGs, and it was noted that City & Hackney CCG would carry out their own data processing for invoice validation. It was confirmed the organisations held appropriate DPA registrations and had achieved satisfactory IG Toolkit scores. It was also confirmed that NHS Digital were in the processing of reviewing the CCG privacy notices. Discussion: DAAG queried the data processing carried out by Queen Mary University of London. It was considered unclear whether there was a justification for Queen Mary University of London to receive the full dataset or whether any data minimisation efforts could be made, 3 NHS City & Hackney CCG NIC R8P3L, NHS Newham CCG NIC L9M1J, NHS Tower Hamlets CCG NIC V2H8K Page 9 of 13

10 particularly as the outputs of this use of data seemed to refer only to asthma prescribing and A&E attendance. The data processing locations and storage locations for Queen Mary University of London were also queried as these were not described consistently within the application. It was noted that the application contained a statement that patient level data would not be shared outside the CCG, which contradicted the intention to share data with Queen Mary University of London. The use of general practice data by Queen Mary University of London was queried and DAAG noted that this work appeared to have been commissioned on behalf of the general practices associated with the CCG. Outcome: Recommendation deferred, pending: Clarification regarding the use of data by Queen Mary University of London and what data minimisation could be applied to the data that will be made available for these purposes. Correcting the processing and storage locations for Queen Mary University of London so that these are consistent. Clarifying a statement that patient level data will not be shared outside each CCG. Providing the letter referred to within the application from the NHS Digital SIRO regarding approach set out, for consideration by DAAG. Updating the security assurance in section 7 to be clear that the ISO information provided relates to Interxion. Correcting a statement within the application to providing data identifiable at the level of NHS number to the CSU for risk stratification to instead state that this flow of data is pseudonymised. Clarification of the external controls in place around access to the look-up table hosted by North East London CSU. A reference to the destruction of previously held identifiable data should be amended to clarify whether this includes the look-up table, or at what point in the future the look-up table will be destroyed. Confirmation that the CCG have amended their privacy notice so that it accurately DAAG noted the concerns that had been raised regarding the look-up table currently hosted by North East London CSU and advised that they would expect the work around this to be completed as soon as possible. Page 10 of 13

11 2.10 Group application for 3 CCGs 4 (Presenter: Stuart Richardson) GA07-CON-NEL Application: This application requested SUS data identifiable at the level of NHS number for risk stratification and invoice validation, in addition to pseudonymised SUS, local flows, mental health data (MHMDS, MHSDS, MHLDDS), MSDS, IAPT, CYPHs, and DIDs data for commissioning purposes. North East London CSU would act as a data processor, and MedeAnalytics would also act as a data processor on behalf of West Essex CCG only while South East CSU would act on behalf of North East Essex CCG only. Luton CCG were not requesting data for risk stratification at this time. It was confirmed the different organisations involved all held current DPA registrations and had achieved satisfactory IG Toolkit scores. NHS Digital had reviewed the privacy notice for Luton CCG and provided feedback on points that should be addressed, and had agreed that the privacy notices for the other two CCG privacy notices accurately described the use of this data. Discussion: DAAG asked for the application to be updated to specify the applicable section of the Health and Social Care Act Outcome: Recommendation to approve, subject to caveats: Specifying which section of the Health and Social Care Act 2012 provides a legal basis for the release of data. Updating the security assurance in section 7 to be clear that the ISO information provided relates to Interxion. Updating the data requested table to complete the information required. Confirmation that Luton CCG have amended their privacy notice so that it accurately DAAG advised that MedeAnalytics should update their DPA registrations to be clear that they process data about patients or health service users Cumbria CCG (Presenter: Stuart Richardson) NIC G4H9Z Application: This application requested SUS data identifiable at the level of NHS number for risk stratification, in addition to pseudonymised SUS, local flows, mental health data (MHMDS, MHSDS, MHLDDS), MSDS, IAPT, CYPHs, and DIDs data for commissioning purposes. The Academic Health Sciences Network (AHSN) and Advancing Quality Alliance (AQuA) hosted by Salford Royal NHS Foundation Trust would act as data processors, as would North of England 4 NHS Luton CCG NIC P9Z0Z, NHS North East Essex CCG NIC W3H2F, NHS West Essex CCG NIC W8F8C Page 11 of 13

12 CSU. In addition a Joint Working Team including both Cumbria CCG and Lancashire North CCG staff would process data as part of a local transformation exercise. It was confirmed the organisations held appropriate DPA registrations and satisfactory IG Toolkit scores. NHS Digital had reviewed the CCG privacy notice and provided feedback on points that needed to be addressed to reach the appropriate standard. Discussion: DAAG discussed the involvement of Lancashire North CCG and queried whether appropriate security assurances were in place for this CCG. It was noted that this CCG had previously applied for data via DAAG and therefore their security assurance would have been reviewed as part of that process. Given the activities outlined, DAAG felt that Cumbria CCG and Lancashire North CCG appeared to be acting as joint data controllers and it was suggested the application should be updated to reflect this. DAAG noted the involvement of the AHSN as a data processor and noted the confirmation that for this data processor, only substantive employees of Salford Royal NHS Foundation Trust would have access to data. However more information was requested on the specific outputs and benefits that would arise from this organisation and AQuA processing data, as this had not been specified within the application. It was noted that the IG Toolkit scores for a number of storage locations had not yet reviewed, and that these would need to be reviewed as satisfactory in order for a data sharing agreement to be completed that included these locations. In addition DAAG noted that the application stated patient level data would not be shared outside the CCG and that this statement would need to be amended to reflect the data sharing with the Joint Working Team. Outcome: Recommendation to approve, subject to caveats: Updating the application to list Lancashire North CCG as joint data controller along with Cumbria CCG, with confirmation of appropriate security assurance for Lancashire North CCG. Clarifying references to patient level data not being shared outside the CCG. Further information on the specific outputs and benefits for the work carried out by AQuA and AHSN. Confirmation that the IG Toolkit scores for the storage locations have been reviewed as satisfactory. Confirmation that the CCG have amended their privacy notice so that it accurately Page 12 of 13

13 3 Any other business DAAG were asked to consider three applications 5 that were previously deferred at the 4 October 2016 DAAG meeting, primarily due to outstanding queries regarding the security assurance for Interxion servers. However DAAG noted that the applications did not include the relevant meeting outcome and it was agreed that this should be updated in order for the applications to be considered under Any Other Business at the 18 October 2016 meeting. 5 Group application for 2 CCGs (NIC K7Z8G NHS North Norfolk CCG, NIC G3Z8L NHS South Norfolk CCG); NIC Enfield CCG; NIC West Norfolk CCG Page 13 of 13

All you need to know about new processes for data submission (almost)

All you need to know about new processes for data submission (almost) All you need to know about new processes for data submission (almost) Benjamin Ritchie, CORC Informatics Lead and Mark Hemsley, CORC Consultant unpack the details of data submissions for CORC members in

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project / Work Data Sharing Audits Status Final Acting Director Chris Roebuck Version 1.0 Owner Rob Shaw Version issue date 19-Jan-2015 HSCIC Audit of

More information

DATA PROTECTION POLICY THE HOLST GROUP

DATA PROTECTION POLICY THE HOLST GROUP DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller

More information

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017 Wye Valley NHS Trust Data protection audit report Executive summary June 2017 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act

More information

Social care: local sponsorship model application process guidance

Social care: local sponsorship model application process guidance Social care: local sponsorship model application process guidance Published August 2017 Copyright 2017Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental

More information

INFORMATION SECURITY AND RISK POLICY

INFORMATION SECURITY AND RISK POLICY INFORMATION SECURITY AND RISK POLICY 1 of 12 POLICY REFERENCE INFORMATION SHEET Document Title Document Reference Number Information Security and Risk Policy P/096/CO/03/11 Version Number V02.00 Status:

More information

CCG questions: EMIS. SNOMED CT in Primary Care. Updated: 31 th July 2017

CCG questions: EMIS. SNOMED CT in Primary Care. Updated: 31 th July 2017 SNOMED CT in Primary Care Updated: 31 th July 2017 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created by statute,

More information

HSCIC Audit of Data Sharing Activities:

HSCIC Audit of Data Sharing Activities: Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Final Acting Director Chris Roebuck Version 1.0 Owner Rob Shaw Version issue date 17/06/2015 HSCIC Audit of Data Sharing

More information

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT AGREEMENT DATED [ ] BETWEEN: (1) SHELTERMANAGER LTD and (2) [ ] ( The Customer ) BACKGROUND (A) (B) (C) This Agreement is to ensure there is in place

More information

Information Governance Incident Reporting Policy

Information Governance Incident Reporting Policy Information Governance Incident Reporting Policy Version: 4.0 Ratified by: NHS Bury Clinical Commissioning Group Information Governance Operational Group Date ratified: 29 th November 2017 Name of originator

More information

Aneurin Bevan Health Board

Aneurin Bevan Health Board Aneurin Bevan Health Board Information Governance Committee Minutes of the meeting held on 10 February 2010, 2pm, in the Small Boardroom, Mamhilad House Present: Prof Janet Wademan - Independent Member

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy Version Number: 3.6 Page 1 of 14 Business Continuity Policy First published: 07-01-2014 Amendment record Version Date Reviewer Comment 1.0 07/01/2014 Debbie Campbell 2.0 11/07/2014

More information

BTEC Centre Guide to Standards Verification

BTEC Centre Guide to Standards Verification BTEC Centre Guide to Standards Verification 2017-2018 Contents Introduction How to use this guide 1. What you need to do 2. What you need to know Standards verification 1. Allocation of your Standards

More information

Provider Monitoring Report. City and Guilds

Provider Monitoring Report. City and Guilds Provider Monitoring Report City and Guilds 22 May 2017 to 3 August 2017 Contents 1 Background 1 1.1 Scope 1 1.2 Provider Monitoring Report Timeline 2 1.3 Summary of Provider Monitoring Issues and Recommendations

More information

SUS RBAC Assignment Guide User guidance on Payment by Results (PbR) in SUS Payment by Results (PbR) in SUS

SUS RBAC Assignment Guide User guidance on Payment by Results (PbR) in SUS Payment by Results (PbR) in SUS SUS RBAC Assignment Guide User guidance on Payment by Results (PbR) in SUS Payment by Results (PbR) in SUS Published August 2015 We are the trusted source of authoritative data and information relating

More information

Patient Reported Outcome Measures (PROMs)

Patient Reported Outcome Measures (PROMs) Patient Reported Outcome Measures (PROMs) Published September 2017 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body created

More information

Policy on the Standardisation of Documentation

Policy on the Standardisation of Documentation Policy on the Standardisation of Documentation Policy Number Target Audience Approving Committee IMTD001 CCG Board members and staff CCG Executive Date Approved November 2013 Last Review Date July 2016

More information

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research. CONTENTS i. INTRODUCTION 3 ii. OVERVIEW SPECIFICATION PROTOCOL DOCUMENT DEVELOPMENT PROCESS 4 1. SCOPE 5 2. DEFINITIONS 5 3. REFERENCES 6 4. MANAGEMENT STANDARDS FOR APPROVED CERTIFICATION BODIES 6 4.1

More information

Information Governance Incident Reporting Procedure

Information Governance Incident Reporting Procedure Information Governance Incident Reporting Procedure : 3.0 Ratified by: NHS Bury CCG Quality and Risk Committee Date ratified: 15 th February 2016 Name of originator /author (s): Responsible Committee /

More information

Data Loss Assessment and Reporting Procedure

Data Loss Assessment and Reporting Procedure Data Loss Assessment and Reporting Procedure Governance and Legal Services Strategy, Planning and Assurance Directorate Approved by: Data Governance & Strategy Group Approval Date: July 2016 Review Date:

More information

Hosting Your Data. Website Hosting, Security, Data Protection & Information Governance (IG)

Hosting Your Data. Website Hosting, Security, Data Protection & Information Governance (IG) Hosting Your Data Website Hosting, Security, Data Protection & Information Governance (IG) LHM is a web solutions provider that creates technology, products and software that is meaningful and measurable.

More information

Electronic Communication of Personal Health Information

Electronic Communication of Personal Health Information Electronic Communication of Personal Health Information A presentation to the Porcupine Health Unit (Timmins, Ontario) May 11 th, 2017 Nicole Minutti, Health Policy Analyst Agenda 1. Protecting Privacy

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please

More information

Qualification Specification

Qualification Specification BCS Level 2 Certificate in IT User Skills (ECDL Core) Version 2.0 March 2018 This is a United Kingdom government regulated qualification which is administered and approved by one or more of the following:

More information

FRIENDS AND FAMILY TEST IN GENERAL PRACTICE

FRIENDS AND FAMILY TEST IN GENERAL PRACTICE FRIENDS AND FAMILY TEST IN GENERAL PRACTICE Data submission guidance Gateway reference 02514 Contents Summary 3 Data to submit 3 Timeline 4 Submission route 4 Publication of the data 4 Validation 5 Q&A

More information

Safeguarding Adults & Mental Capacity Act Service

Safeguarding Adults & Mental Capacity Act Service Safeguarding Adults & Mental Capacity Act Service Responsible Manager & Administrative Support Service Guidance for the Management of Safeguarding Meetings including the Production & Distribution of the

More information

Motorola Mobility Binding Corporate Rules (BCRs)

Motorola Mobility Binding Corporate Rules (BCRs) Motorola Mobility Binding Corporate Rules (BCRs) Introduction These Binding Privacy Rules ( Rules ) explain how the Motorola Mobility group ( Motorola Mobility ) respects the privacy rights of its customers,

More information

Information Governance Incident Reporting Policy and Procedure

Information Governance Incident Reporting Policy and Procedure Information Governance Incident Reporting Policy and Procedure Policy Number Target Audience Approving Committee IG007 CCG/GMSS Staff CCG Chief Officer Date Approved February 2018 Last Review Date February

More information

Supporting the NHS to Improve Cyber Security. Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre

Supporting the NHS to Improve Cyber Security. Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre Supporting the NHS to Improve Cyber Security Presented by Chris Flynn Security Operations Lead NHS Digital s Data Security Centre https://www.youtube.com/watch?v=3bqt7zkkq JA 2 Start with why And why it

More information

Complaints Survey Toolkit: Implementation Guide

Complaints Survey Toolkit: Implementation Guide Complaints Survey Toolkit: Implementation Guide Contents About this handbook 1 Background 1 Timeline 2 Sampling 5 Materials and practicalities 5 Questionnaire and covering letters 5 The Mailings 6 First

More information

NHS WALES INFORMATICS SERVICE DATA QUALITY ASSURANCE NATIONAL STATISTICS

NHS WALES INFORMATICS SERVICE DATA QUALITY ASSURANCE NATIONAL STATISTICS NHS WALES INFORMATICS SERVICE DATA QUALITY ASSURANCE NATIONAL STATISTICS Version: 2.0 Date: 3 rd November 2016 Document History Document Location The source of the document will be found on the Programme

More information

Comments, Concerns, Compliments and Complaints

Comments, Concerns, Compliments and Complaints i If you need your information in another language or medium (audio, large print, etc) please contact Customer Care on 0800 374 208 or send an email to: customercare@ salisbury.nhs.uk You are entitled

More information

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2 NWQ Capital Management Pty Ltd Privacy Policy March 2017 Page 1 of 8 Privacy and Spam Policy NWQ Capital Management Pty Ltd s Commitment NWQ Capital Management Pty Ltd (NWQ) is committed to providing you

More information

Data protection. 3 April 2018

Data protection. 3 April 2018 Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd

More information

3.1. Login via web browser Requesting access to the CSTD Manchester 4

3.1. Login via web browser Requesting access to the CSTD Manchester 4 Contents: 1. Introduction 2 2. Responsibilities 2 3. Access and login instructions: 3.1. Login via web browser 3 3.2. Requesting access to the CSTD Manchester 4 4. Sections explained: 4.1. Your CTSD user

More information

Australian Standard. Records Management. Part 2: Guidelines AS ISO ISO TR

Australian Standard. Records Management. Part 2: Guidelines AS ISO ISO TR AS ISO 15489.2 2002 ISO TR 15489-2 AS ISO 15489.2 Australian Standard Records Management Part 2: Guidelines [ISO title: Information and documentation Records management Part 2: Guidelines] This Australian

More information

National ANPR Standards for Policing: Part 1 Data Standards

National ANPR Standards for Policing: Part 1 Data Standards National ANPR Standards for Policing: Part 1 Data Standards Version 3.1 October 2016 Change History Version Date Details of Changes included in Update Author No. 1.0 May Approved Version 1 Bill Mandeville

More information

Ventilation Policy Type: Policy Register No: Status: Public. Developed in response to: Contributes to CQC Outcome number: Outcome 8 and 10

Ventilation Policy Type: Policy Register No: Status: Public. Developed in response to: Contributes to CQC Outcome number: Outcome 8 and 10 Ventilation Policy Type: Policy Register No: 11056 Status: Public Developed in response to: HTM03-01 Contributes to CQC Outcome number: Outcome 8 and 10 Consulted With Post/Committee/Group Date Louise

More information

Audit Report. City & Guilds

Audit Report. City & Guilds Audit Report City & Guilds 3 April 2014 and 5 March 2015 Contents 1 Background 1 1.1 Scope 1 1.2 Audit Report and Action Plan Timescales 2 1.3 Summary of Audit Issues and Recommendations 3 1.4 Risk Rating

More information

Qualification Specification

Qualification Specification BCS Level 1 Award in e-safety March 2018 This is a United Kingdom government regulated qualification which is administered and approved by one or more of the following: Ofqual, Qualification in Wales,

More information

NSPCC JOB DESCRIPTION

NSPCC JOB DESCRIPTION NSPCC JOB DESCRIPTION JOB TITLE: DIVISION: DEPARTMENT: LOCATION: Senior Information Specialist National Services Knowledge and Information London DATE APPROVED: January 2016 Context and Background The

More information

ISO27001:2013 The New Standard Revised Edition

ISO27001:2013 The New Standard Revised Edition ECSC UNRESTRICTED ISO27001:2013 The New Standard Revised Edition +44 (0) 1274 736223 consulting@ecsc.co.uk www.ecsc.co.uk A Blue Paper from Page 1 of 14 Version 1_00 Date: 27 January 2014 For more information

More information

Islam21c.com Data Protection and Privacy Policy

Islam21c.com Data Protection and Privacy Policy Islam21c.com Data Protection and Privacy Policy Purpose of this policy The purpose of this policy is to communicate to staff, volunteers, donors, non-donors, supporters and clients of Islam21c the approach

More information

Requirements for a Managed System

Requirements for a Managed System GDPR Essentials Requirements for a Managed System QG Publication 6 th July 17 Document No. QG 0201/4.3 Requirements for a Managed GDPR System The General Data Protection Regulation GDPR will apply in the

More information

Architecture Tool Certification Certification Policy

Architecture Tool Certification Certification Policy Architecture Tool Certification Certification Policy Version 1.0 January 2012 Copyright 2012, The Open Group All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,

More information

Audit Report. Association of Chartered Certified Accountants (ACCA)

Audit Report. Association of Chartered Certified Accountants (ACCA) Audit Report Association of Chartered Certified Accountants (ACCA) 26 August 2015 Contents 1 Background 1 1.1 Scope 1 1.2 Audit Report and Action Plan Timescales 2 1.3 Summary of Audit Issues and Recommendations

More information

Setting up your GP Practice to receive NHS 111 Messages directly into EMIS Web

Setting up your GP Practice to receive NHS 111 Messages directly into EMIS Web Setting up your GP Practice to receive NHS 111 Messages directly into EMIS Web Last updated 19/02/2015 Introduction - This is a guide to explain how practices can now receive NHS 111 messages directly

More information

Data Encryption Policy

Data Encryption Policy Data Encryption Policy Document Control Sheet Q Pulse Reference Number Version Number Document Author Lead Executive Director Sponsor Ratifying Committee POL-F-IMT-2 V02 Information Governance Manager

More information

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements The GDPR and NIS Directive: Risk-based security measures and incident notification requirements Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 4 May 2017 Introduction Adrian Ross GRC consultant

More information

BODY CORPORATE REGISTRATION Application form

BODY CORPORATE REGISTRATION Application form General Optical Council BODY CORPORATE REGISTRATION Application form Please read the attached guidance notes and complete the form in full. This form is for body corporates who wish to join the General

More information

Terms and Conditions for External accounts Service

Terms and Conditions for External accounts Service Terms and Conditions for External accounts Service You must read these Terms and Conditions before using External accounts service. IMPORTANT INFORMATION External accounts service is an account aggregation

More information

The Role of the Data Protection Officer

The Role of the Data Protection Officer The Role of the Data Protection Officer Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 28 July 2016 www.itgovernance.co.uk Introduction Adrian Ross GRC consultant Infrastructure services

More information

Bring Your Own Device (BYOD) Policy

Bring Your Own Device (BYOD) Policy SH IG 58 Information Security Suite of Policies Bring Your Own Device (BYOD) Policy Version 1 Summary: Keywords (minimum of 5): (To assist policy search engine) Target Audience: Next Review Date: This

More information

Access Rights and Responsibilities. A guide for Individuals and Organisations

Access Rights and Responsibilities. A guide for Individuals and Organisations Access Rights and Responsibilities A guide for Individuals and Organisations This guide is aimed at both individuals and organisations. It is designed to bring individuals through the process of making

More information

REF FINDING EXPECTED ACTION FROM BUPA

REF FINDING EXPECTED ACTION FROM BUPA From: (HEALTH AND SOCIAL CARE INFORMATION CENTRE) [mailto @hscic.gov.uk] Sent: 24 November 2015 16:41 To: Subject: RE: Bupa supporting documents Dear Further to the data sharing audit conducted by HSCIC

More information

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION

CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION CERTIFICATION BODY (CB) APPROVAL REQUIREMENTS FOR THE IFFO RESPONSIBLE SUPPLY (IFFO RS) AUDITS AND CERTIFICATION Introduction The IFFO RS Certification Programme is a third party, independent and accredited

More information

Code Administration Code of Practice

Code Administration Code of Practice Code Administration Code of Practice As part of the energy Codes Governance Review Ofgem proposed that a Code of Practice be established to facilitate convergence and transparency in code Modification

More information

ICO Information Request Handling Procedures

ICO Information Request Handling Procedures s 1. Introduction It is important to remember that the Information Commissioners Office (ICO) is subject to all the legislation it regulates. All requests for information to the ICO need to be handled

More information

Data Protection. Policy

Data Protection. Policy Data Protection Policy Policy adopted: April 2016 Policy review date: April 2018 OAT Model Policy 1 Contents 1. Policy statement and principles... 3 1.1 Policy aims and principles... 3 1.2 Data protection

More information

ISC: UNRESTRICTED AC Attachment. Freedom of Information and Protection of Privacy Access Request Process Audit

ISC: UNRESTRICTED AC Attachment. Freedom of Information and Protection of Privacy Access Request Process Audit Freedom of Information and Protection of Privacy Access Request Process Audit November 4, 2015 THIS PAGE LEFT INTENTIONALLY BLANK ISC: UNRESTRICTED Table of Contents Executive Summary... 4 1.0 Background...

More information

POLICY. Version: 1.1 Quality and Performance Committee Date ratified: 12 th July 2017

POLICY. Version: 1.1 Quality and Performance Committee Date ratified: 12 th July 2017 EMAIL POLICY Version: 1.1 Ratified by: Quality and Performance Committee Date ratified: 12 th July 2017 Name & Title of originator/author: John Robinson, Senior Information Governance Specialist (embed

More information

Text and messaging - Safeguarding Guidelines

Text and  messaging - Safeguarding Guidelines Safeguarding and Protecting Children Guidance SPCG 32 Text and Email messaging - Safeguarding Guidelines Text messaging and emails can help improve the success of rowing clubs, affiliated organisations

More information

UWC International Data Protection Policy

UWC International Data Protection Policy UWC International Data Protection Policy 1. Introduction This policy sets out UWC International s organisational approach to data protection. UWC International is committed to protecting the privacy of

More information

CommuniGator. Your GDPR. Compliance Checklist

CommuniGator. Your GDPR. Compliance Checklist CommuniGator Your GDPR Compliance Checklist The impact of the EU GDPR on your business As of April 2016, the EU General Data Protection Regulation was adopted but it does not come into force until 25th

More information

UNIVERSITY OF LEICESTER, UNIVERSITY OF LOUGHBOROUGH & UNIVERSITY HOSPITALS OF LEICESTER NHS TRUST JOINT RESEARCH & DEVELOPMENT SUPPORT OFFICE

UNIVERSITY OF LEICESTER, UNIVERSITY OF LOUGHBOROUGH & UNIVERSITY HOSPITALS OF LEICESTER NHS TRUST JOINT RESEARCH & DEVELOPMENT SUPPORT OFFICE UNIVERSITY OF LEICESTER, UNIVERSITY OF LOUGHBOROUGH & UNIVERSITY HOSPITALS OF LEICESTER NHS TRUST JOINT RESEARCH & DEVELOPMENT SUPPORT OFFICE STANDARD OPERATING PROCEDURES University of Leicester (UoL)

More information

The Open Group Certification for People. Training Course Accreditation Requirements

The Open Group Certification for People. Training Course Accreditation Requirements The Open Group Certification for People Training Course Accreditation Requirements Version 1.1 February 2014 Copyright 2013-2014, The Open Group All rights reserved. No part of this publication may be

More information

I appreciate it is a busy time of year.

I appreciate it is a busy time of year. From: "Greenop, Daz" Subject: RE: Evaluation of NHS England Whistleblower Employment Support Date: 29 September 2017 at 20:43:36 BST To: 'Minh Alexander' No Probs

More information

National Certificate in Public Sector Services (Induction) (Level 3)

National Certificate in Public Sector Services (Induction) (Level 3) National Certificate in Public Sector Services (Induction) (Level 3) An induction programme that covers the key skills, knowledge and competencies that underpin New Zealand s public sector, this training

More information

St Bernard s Primary School Data Protection Policy

St Bernard s Primary School Data Protection Policy St Bernard s Primary School Data Protection Policy St Bernard s RC Primary School, A Voluntary Academy Approved by Governors: 11.11.2015 Review date: Autumn 2016 St Bernard s Data Protection Policy General

More information

ACCREDITATION OF CERTIFICATION BODIES OF SOCIAL ACCOUNTABILITY SYSTEMS SAAS ACCREDITATION REQUIREMENTS TABLE OF CONTENTS

ACCREDITATION OF CERTIFICATION BODIES OF SOCIAL ACCOUNTABILITY SYSTEMS SAAS ACCREDITATION REQUIREMENTS TABLE OF CONTENTS SOCIAL ACCOUNTABILITY ACCREDITATION SERVICES ACCREDITATION OF CERTIFICATION BODIES OF SOCIAL ACCOUNTABILITY SYSTEMS SAAS ACCREDITATION REQUIREMENTS TABLE OF CONTENTS 1.0 INTRODUCTION 2 2.0 REFERENCES 2

More information

Application to Join PVG

Application to Join PVG Application to Join PVG Guidance for Applicants You have been given these guidance notes as you are applying to join the PVG Scheme to carry out regulated work (either paid or unpaid) with a voluntary

More information

econtract System User Guide

econtract System User Guide NHS Standard Contract econtract System User Guide NHS England INFORMATION READER BOX Directorate Medical Operations and Information Specialised Commissioning Nursing Trans. & Corp. Ops. Strategy & Innovation

More information

Badminton England - Data protection Guidance for clubs and counties.

Badminton England - Data protection Guidance for clubs and counties. Badminton England - Data protection Guidance for clubs and counties. This leaflet is intended to provide general guidance for clubs and counties with respect to data protection. It does not however capture

More information

Training Manual for HR Managers ( Business Unit Admin level)

Training Manual for HR Managers ( Business Unit Admin level) UK Umbrella Service Ltd online DBS applications Training Manual for HR Managers ( Business Unit Admin level) UK Umbrella Service Ltd Page 1 of 12 1 Accessing the system: From the Log In page: https://ukdbschecks.employmentcheck.org.uk/user_login.php

More information

Information Security Incident

Information Security Incident Good Practice Guide Author: A Heathcote Date: 22/05/2017 Version: 1.0 Copyright 2017 Health and Social Care Information Centre. The Health and Social Care Information Centre is a non-departmental body

More information

Data Breach Notification: what EU law means for your information security strategy

Data Breach Notification: what EU law means for your information security strategy Data Breach Notification: what EU law means for your information security strategy Olivier Proust December 8, 2011 Hunton & Williams LLP Key points 1. Introduction 2. Overview of data breach requirements

More information

Technical Advisory Board (TAB) Terms of Reference

Technical Advisory Board (TAB) Terms of Reference Technical Advisory Board (TAB) Terms of Reference ACS Technical Advisory Board Terms of Reference V1.1 27 May 2017 Page 1 ACS Technical Advisory Board Terms of Reference V1.1 27 May 2017 Page 1 CONTENTS

More information

ICT Portable Devices and Portable Media Security

ICT Portable Devices and Portable Media Security ICT Portable Devices and Portable Media Security Who Should Read This Policy Target Audience All Trust Staff, contractors, and other agents, who utilise trust equipment and access the organisation s data

More information

Accreditation & Certification Supplier Guide

Accreditation & Certification Supplier Guide Accreditation & Certification Supplier Guide Network Connectivity Products and Services Connected Health Version 1.0 Table of Contents 1 PREFACE... 3 1.1 AUDIENCE...3 1.2 PURPOSE...3 1.3 SCOPE...3 2 CONNECTED

More information

DLP Data Recipient Spec Manager User Guide

DLP Data Recipient Spec Manager User Guide DLP Data Recipient Spec Manager User Guide Guidance for Specification Manager/Data Recipient in using the Data Landing Portal (DLP) Copyright 2016 Health and Social Care Information Centre. Contents Overview

More information

Enviro Technology Services Ltd Data Protection Policy

Enviro Technology Services Ltd Data Protection Policy Enviro Technology Services Ltd Data Protection Policy 1. CONTEXT AND OVERVIEW 1.1 Key details Rev 1.0 Policy prepared by: Duncan Mounsor. Approved by board on: 23/03/2016 Policy became operational on:

More information

Privacy Policy Wealth Elements Pty Ltd

Privacy Policy Wealth Elements Pty Ltd Page 1 of 6 Privacy Policy Wealth Elements Pty Ltd Our Commitment to you Wealth Elements Pty Ltd is committed to providing you with the highest levels of client service. We recognise that your privacy

More information

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx

SAMPLE REPORT. Business Continuity Gap Analysis Report. Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx SAMPLE REPORT Business Continuity Gap Analysis Report Prepared for XYZ Business by CSC Business Continuity Services Date: xx/xx/xxxx COMMERCIAL-IN-CONFIDENCE PAGE 1 OF 11 Contact Details CSC Contacts CSC

More information

PFE Online Application Help File

PFE Online Application Help File PFE Online Application Help File Please follow this step-by-step guide to help complete the PFE online application form for Educational Oversight. (Please note, failure to complete all required information

More information

Network Certification Body

Network Certification Body Network Certification Body Scheme rules for assessment of railway projects to requirements of the Railways Interoperability Regulations as a Notified and Designated Body 1 NCB_MS_56_Notified and Introduction

More information

Communications Strategy

Communications Strategy Communications Strategy DOCUMENT PROFILE Short Title Document Purpose Target Audience Author Communications Strategy Outline of SPB strategies for communication Board members and staff; Agencies, Partners,

More information

DSA-QAG NMH - Audit Portal Guidance

DSA-QAG NMH - Audit Portal Guidance DSA-QAG NMH - Audit Portal Guidance Date: 11 January 2017 Version: 1.0 Document Management Revision History Version Date Changes page 2 of 12 Table of Contents 1 INTRODUCTION... 4 1.1 DSA-QAG... 4 1.2

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

DOCUMENT NO. CSWIP-PED Requirements for the approval of NDT Personnel CERTIFICATION SCHEME FOR PERSONNEL. 2 nd Edition January 2011

DOCUMENT NO. CSWIP-PED Requirements for the approval of NDT Personnel CERTIFICATION SCHEME FOR PERSONNEL. 2 nd Edition January 2011 CERTIFICATION SCHEME FOR PERSONNEL DOCUMENT NO. CSWIP-PED -2-01 Requirements for the approval of NDT Personnel 2 nd Edition January 2011 Issued under the authority of the Governing Board for Certification

More information

This report was prepared by the Information Commissioner s Office, United Kingdom (hereafter UK ICO ).

This report was prepared by the Information Commissioner s Office, United Kingdom (hereafter UK ICO ). REPORT TO THE 38 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS - MOROCCO, OCTOBER 2016 ON THE 5 th ANNUAL INTERNATIONAL ENFORCEMENT COOPERATION MEETING HELD IN MANCHESTER, UK,

More information

Data Processor Agreement

Data Processor Agreement Data Processor Agreement Data Controller: Customer located within the EU (the Data Controller ) and Data Processor: European Representative Company: ONE.COM (B-one FZ-LLC) One.com A/S Reg.no. Reg.no. 19.958

More information

Use of data processor (external business unit)

Use of data processor (external business unit) Published with the support of: Code of conduct for information security www.normen.no Use of data processor (external business unit) Supporting document Fact sheet no 10 Version: 4.0 Date: 12 Feb 2015

More information

Short Guide to using the Report Template (Version 3)

Short Guide to using the Report Template (Version 3) INTRODUCTION 1. This short guide explains how staff should use the Report Template (Version 3) when preparing reports for consideration at the Mersey Care s Board of Directors or any of its committees,

More information

POSIX : Certified by IEEE and The Open Group. Certification Policy

POSIX : Certified by IEEE and The Open Group. Certification Policy POSIX : Certified by IEEE and The Open Group Certification Policy Prepared by The Open Group October 21 2003 Revision 1.1 Table of Contents 1. Overview...4 1.1 Introduction...4 1.2 Terminology and Definitions...5

More information

UKIP needs to gather and use certain information about individuals.

UKIP needs to gather and use certain information about individuals. UKIP Data Protection Policy Context and overview Key details Policy Update Prepared by: D. Dennemarck / S. Turner Update approved by Management on: November 6, 2015 Policy update became operational on:

More information

EBMT. European Society for Blood and Marrow Transplantation. Version 5.2. Last review 02/02/2018

EBMT. European Society for Blood and Marrow Transplantation. Version 5.2. Last review 02/02/2018 EBMT European Society for Blood and Marrow Transplantation REGISTRY FUNCTION Person responsible Registry Head Version 5.2 Last review 02/02/2018 Approved Registry Committee All comments regarding this

More information

Introduction 1. This policy applies, irrespective of length of service or duration of contract to:

Introduction 1. This policy applies, irrespective of length of service or duration of contract to: Data Disclosure Control Policy Introduction 1. This policy applies, irrespective of length of service or duration of contract to: employees of HEFCW temporary or contract staff engaged by HEFCW, including

More information

A S ISO Records Management Part 1: General

A S ISO Records Management Part 1: General AS ISO 15489.1 2002 ISO 15489-1 AS ISO 15489.1 Australian Standard Records Management Part 1: General [ISO title: Information and documentation Records management Part 1: General] This Australian Standard

More information

Severn Trent Water. Telecommunications Policy and Access Procedure

Severn Trent Water. Telecommunications Policy and Access Procedure Severn Trent Water Telecommunications Policy and Access Procedure Contents STW Telecommunications Policy: 5-12 Health and Safety: 13-18 Access Procedures:19-30 2 STW LSH Sites Access Policy [Controlled

More information

Information Governance and Code of Conduct

Information Governance and Code of Conduct This document is also available in other languages and formats upon request Information Governance and Code of Conduct For further information and guidance contact the Information Governance team: Tel:

More information